Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

4.1.2 upgrade TailingProcessor - File descriptor cache is full

Chris_R_
Splunk Employee
Splunk Employee
‎05-24-2010 06:38 PM

I've installed Splunk build 4.1.2 and this upgrade has introduced the following in the splunkd.log:

05-24-2010 12:58:34.695 INFO  TailingProcessor - File descriptor cache is full, trimming...  
05-24-2010 12:58:37.695 INFO  TailingProcessor - File descriptor cache is full, trimming...  
05-24-2010 12:58:40.956 INFO  TailingProcessor - File descriptor cache is full, trimming...  
05-24-2010 12:58:43.753 INFO  TailingProcessor - File descriptor cache is full, trimming...  
05-24-2010 12:58:46.465 INFO  TailingProcessor - File descriptor cache is full, trimming...  
05-24-2010 12:58:48.832 INFO  TailingProcessor - File descriptor cache is full, trimming...  
05-24-2010 12:58:51.807 INFO  TailingProcessor - File descriptor cache is full, trimming...

Now that we are using the "time_before_close" parameter within most of the input stanza's we are leaving files open for longer. This I imagine is putting more pressure on Splunk to be able to open and close files as required.

As you can see from the log above, whilst not an error it is an indicator that we need to tune our Splunk instance better to cope with the large number of files that Splunk has to monitor (I would imagine around 800 per day)

can you please look into this and advise me on how to better tune our Splunk instance?

I have also tested setting various different OS values for the number of allowed open file descriptor (ulimit -n) and the Splunk max_fd (within limits.conf) but they have not resolved the issue.

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

Mick
Splunk Employee
Splunk Employee
‎05-24-2010 09:37 PM

So 4.1 has introduced the new tailing processor, which is now capable of handling many more files than the old version - wahoo!

The above info message just means that Splunk has more files to read but it has already reached the limit of open FD's. 3.x versions of Splunk used the max_fd setting in limits.conf so you could tune Splunk to increase this overall number, but that has not yet been added to the 4.1.x code-branch. It's coming though, and will be in the official 4.1.3 release, which is next on the list.

For now, if you're monitoring directories that contain 800 files, it's not going to be much of an issue and its just a case of Splunk cleaning up open FD's so it can move on to the next file. It will always come back and read your files again, so it shouldn't be missing out on any data.

View solution in original post

Reply
Solved! Jump to solution
Solution

Mick
Splunk Employee
Splunk Employee
‎05-24-2010 09:37 PM

So 4.1 has introduced the new tailing processor, which is now capable of handling many more files than the old version - wahoo!

The above info message just means that Splunk has more files to read but it has already reached the limit of open FD's. 3.x versions of Splunk used the max_fd setting in limits.conf so you could tune Splunk to increase this overall number, but that has not yet been added to the 4.1.x code-branch. It's coming though, and will be in the official 4.1.3 release, which is next on the list.

For now, if you're monitoring directories that contain 800 files, it's not going to be much of an issue and its just a case of Splunk cleaning up open FD's so it can move on to the next file. It will always come back and read your files again, so it shouldn't be missing out on any data.

Reply
Solved! Jump to solution

anand_singh17
Path Finder
‎09-05-2017 05:27 AM

Question:

I have one thought, that, how do we come accross setting the values for max_fd= ?

What are the rationals setting values or it's random, what feels good for us?

Some people say, increase or double in sequential way, using default value, till it resolves.

0 Karma
Reply
Solved! Jump to solution

chris
Motivator
‎06-09-2010 09:32 AM

Had the same events in splunkd.log, Micks solution works (just make sure you set a limit that is lower than the splunk users ulimit)

[inputproc]
max_fd = 256
Reply
Solved! Jump to solution

bricker
Engager
‎02-13-2015 10:07 AM

Syntax is really:

[inputproc]
max_fd = 256

Added to limits.conf.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...